[runtime] Make sure %ForInPrepare returns the correct length.

In case the receiver map has an enum cache, %ForInPrepare returns the
length of the actual enum cache, which might include properties that
are further down the transition tree tho.

R=jarin@chromium.org
BUG=v8:3650
LOG=n

Review URL: https://codereview.chromium.org/1619353002

Cr-Commit-Position: refs/heads/master@{#33469}

src/runtime/runtime-forin.cc

@@ -31,16 +31,13 @@ RUNTIME_FUNCTION_RETURN_TRIPLE(Runtime_ForInPrepare) {
   Handle<FixedArray> cache_array;
   int cache_length;
 
-  Handle<Map> receiver_map = handle(receiver->map(), isolate);
   if (cache_type->IsMap()) {
-    Handle<Map> cache_type_map =
-        handle(Handle<Map>::cast(cache_type)->map(), isolate);
-    DCHECK(cache_type_map.is_identical_to(isolate->factory()->meta_map()));
-    int enum_length = cache_type_map->EnumLength();
-    DescriptorArray* descriptors = receiver_map->instance_descriptors();
-    if (enum_length > 0 && descriptors->HasEnumCache()) {
+    Handle<Map> cache_type_map = Handle<Map>::cast(cache_type);
+    int const enum_length = cache_type_map->EnumLength();
+    DescriptorArray* descriptors = cache_type_map->instance_descriptors();
+    if (enum_length && descriptors->HasEnumCache()) {
       cache_array = handle(descriptors->GetEnumCache(), isolate);
-      cache_length = cache_array->length();
+      cache_length = enum_length;
     } else {
       cache_array = isolate->factory()->empty_fixed_array();
       cache_length = 0;

test/mjsunit/regress/regress-3650-2.js

@@ -0,0 +1,23 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+var a = {}
+var b = {}
+a.x = 1;
+a.y = 1;
+b.x = 1;
+
+function foo(c) {
+  var s = 0;
+  for (var p in c) { s++; }
+  return s;
+}
+
+assertEquals(2, foo(a));
+assertEquals(1, foo(b));
+%OptimizeFunctionOnNextCall(foo);
+assertEquals(2, foo(a));
+assertEquals(1, foo(b));